      Secured Branch Router Configuration Example

OL-6329-01

  • Firewall Websense URL Filtering—The Firewall Websense URL Filtering feature enables your Cisco IOS firewall (also known as Cisco Secure Integrated Software) to interact with the Websense URL filtering software, thereby allowing you to prevent users from accessing specified websites on the basis of some policy. The Cisco IOS firewall works with the Websense server to know whether a particular URL should be allowed or denied (blocked).

Before You Begin

Conventions

For more information on document conventions, see Conventions Used in Cisco Technical Tips.

Components Used

The information in this document is based on the software and hardware versions below.

  • Cisco 2801 router
  • Cisco IOS Release 12.3(8)T4
  • Advanced IP Services feature set

Note: The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the following hardware: 

  • Cisco 1800 series integrated services router (modular)
  • Cisco 2800 series integrated services router
  • Cisco 3800 series integrated services router

A similar configuration can also be used with a Cisco 3800 series integrated services router that is 
equipped with a Cisco Content Engine network module (NM-CE-BP), which has an embedded Websense 
URL filtering server (UFS). 

Summary of Contents for 2800 Series

Page 1: ...ce page 1 Conventions page 1 Obtaining Documentation page 2 Documentation Feedback page 3 Obtaining Technical Assistance page 3 Obtaining Additional Publications and Information page 5 Objectives These documents explains how to configure and maintain your Cisco router Audience These documents are designed for the person installing configuring and maintaining the Cisco router who should be familiar...

Page 2: ...com Cisco also provides several ways to obtain technical assistance and other technical resources These sections explain how to obtain technical information from Cisco Systems Cisco com You can access the most current Cisco documentation at this URL http www cisco com cisco web support index html Table 1 Command Conventions Convention Description boldface font Commands and keywords italic font Var...

Page 3: ...alling Cisco Systems Corporate Headquarters California USA at 408 526 7208 or elsewhere in North America by calling 1 800 553 NETS 6387 Documentation Feedback For your convenience a documentation feedback form is located at the bottom of every online document You can submit comments by using the response card if present behind the front cover of your document or by writing to the following address...

Page 4: ...e information before placing a service call Submitting a Service Request Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information After you describe your situation the TAC Service Request Tool provides recommended solutions If your iss...

Page 5: ...ources Cisco Marketplace provides a variety of Cisco books reference guides and logo merchandise Visit Cisco Marketplace the company store at this URL http www cisco com go marketplace The Cisco Products and Services Index describes the networking products offered by Cisco Systems as well as ordering and customer support services Access the Products and Services Index at this URL http www cisco co...

Page 6: ...olver EtherChannel EtherFast EtherSwitch Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study LightStream Linksys MeetingPlace MGX Networkers Networking Academy Network Registrar PIX ProConnect ScriptShare SMARTnet StackWise The Fastest Way to Increase Your Internet Quotient and TransPath are r...

Page 7: ...ed integration module AIM slots The Cisco 2811 router in addition to the features in the Cisco 2801 supports one single wide network module enhanced NME four single width or two double wide HWICs and optional inline power output of up to 160 Watts In Cisco 2821 routers in addition to the features in the Cisco 2811 the network module slot adds support for a single wide network module enhanced exten...

Page 8: ... Software Configuration Using the Cisco IOS Command Line Interface Finding Feature Documentation Configuration Examples Troubleshooting and Maintenance Upgrading the System Image Using CompactFlash Memory Cards Using the ROM Monitor Changing the Configuration Register Settings Troubleshooting Links Note Besides the setup facility and the IOS command line interface a third way of configuring Cisco ...

Page 9: ...irewall Policy Network Address Translation NAT VPNs routing protocols and other options For More Information About SDM and About Your Router For additional information about SDM features refer to the SDM online help Additional information about SDM is also available at this URL http www cisco com go sdm Here you can find detailed information about SDM including an SDM FAQ data sheet customer prese...

Page 10: ...a host name for the router set passwords and configure an interface for communication with the management network If the following messages appear at the end of the startup sequence the setup command facility has been invoked automatically System Configuration Dialog At any point you may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in s...

Page 11: ...nable secret password This password is not encrypted less secure and can be seen when viewing the configuration The enable password is used when you do not specify an enable secret password with some older software versions and some boot images Enter enable password xxxxxx Step 6 Enter the virtual terminal password which prevents unauthenticated access to the router through ports other than the co...

Page 12: ...ssword xxxxxx line vty 0 4 password xxxxxx snmp server community public no ip routing interface FastEthernet0 0 no shutdown speed 100 duplex half ip address 172 1 2 3 255 255 0 0 interface FastEthernet0 1 shutdown no ip address end Step 11 Respond to the following prompts Select 2 to save the initial configuration 0 Go to the IOS command prompt without saving this config 1 Return back to the setup...

Page 13: ...r outages Use the copy running config startup config command at the privileged EXEC mode prompt Router to save the configuration to NVRAM Step 1 To proceed with manual configuration using the CLI enter no when the power up messages end Would you like to enter the initial configuration dialog yes no no Step 2 Press Return to terminate autoinstall and continue with manual configuration Would you lik...

Page 14: ...ailable through the standard Cisco IOS startup sequence The configuration file shipped with your router does the following Provides an IP address for your Fast Ethernet interface enabling an interface to your LAN Enables your router s HTTP HTTPS server allowing HTTP access from your LAN Creates a default username cisco and password cisco with privilege level 15 Enables Telnet SSM access to the rou...

Page 15: ...iguration to use the IOS startup sequence you can still use SDM To do so you must configure the router to support web based applications configure it with a user account defined with privilege level 15 and then configure it to support the Telnet and SSH protocols These changes can be made using a telnet session or using a console connection Configuring the Router to Support Web Based Applications ...

Page 16: ...available Step 2 Enter the username and password that you specified in Step 2 of Configuring the Router to Support Web Based Applications a User with Priv 15 and Telnet SSH To continue configuring your router see the Initial Configuration Using the Cisco Router and Security Device Manager section on page 3 Copyright 2004 Cisco Systems Inc All rights reserved CCVP the Cisco logo and Welcome to the ...

Page 17: ... guide that shipped with your router The software configuration documentation describes how to perform configuration tasks by using the CLI However this specific document describes how to perform basic configurations by using the Cisco IOS setup command facility Contents Platforms Supported by This Document page 1 Information About the Setup Command Facility page 2 Using the Setup Command Facility...

Page 18: ...et passwords and configure an interface for communication with the management network Note The messages that will be displayed will vary depending on your router model the installed interface modules and the software image The following example and the user entries in bold are shown as examples only Note If you make a mistake while using the setup command facility you can exit and run the setup co...

Page 19: ...ble password that is different from the enable secret password This password is not encrypted and is less secure and can be seen when viewing the configuration The enable password is used when you do not specify an enable secret password with some older software versions and some boot images Enter enable password xxxxxx Step 7 Enter the virtual terminal password which prevents unauthenticated acce...

Page 20: ...guration is displayed The following configuration command script was created hostname myrouter enable secret 5 1 D5P6 PYx41 lQIASK HcSbfO5q1 enable password xxxxxx line vty 0 4 password xxxxxx snmp server community public no ip routing interface FastEthernet0 0 no shutdown media type 100BaseX half duplex ip address 172 1 2 3 255 255 0 0 interface FastEthernet0 1 shutdown no ip address end Step 11 ...

Page 21: ...uter model the installed interface modules and the software image The following example and the user entries in bold are shown as examples only Fast Ethernet Interface Configuration The following is a brief example of configuring a Fast Ethernet interface by using the setup command facility Do you want to configure FastEthernet0 0 interface yes Use the 100 Base TX RJ 45 connector yes Operate in fu...

Page 22: ...pe command More details follow in the Selecting the Port for the Gigabit Ethernet Interface section on page 6 The following are two examples of configurations for the Gigabit Ethernet GE interface The first example shows a sample configuration for RJ 45 mode applicable to either port gig 0 0 or port gig 0 1 interface GigabitEthernet0 0 ip address 1 3 153 13 255 0 0 0 duplex auto speed auto media t...

Page 23: ...frames received There is no way in current MAC hardware to track the number of pause frames received or sent Flow control is on by default Currently there is no command to turn off the flow control capability for any of the Gigabit Ethernet ports in any of the RJ45 or SFP modes Speed Duplex Settings for the Gigabit Ethernet Ports Typically speed and or duplex communications are configured manually...

Page 24: ...Enable AUTO duplex configuration full Force full duplex operation Note If the speed and duplex setting for g0 0 in SFP mode is speed 1000 and duplex full autonegotiation is in forced mode and autonegotation is turned off For all other mode settings of speed or duplex for SFP autonegotiation is turned on If speed 1000 and duplex full modes are specified for both g0 0 and g0 1 interfaces in copper m...

Page 25: ...8 subnet bits mask is 8 Configure IPX on this interface no yes IPX network number 8 Frame Relay Encapsulation The following is a sample configuration for Frame Relay encapsulation The following lmi types are available to be set when connected to a frame relay switch 0 none 1 ansi 2 cisco 3 q933a Enter lmi type 2 Note The setup command facility prompts you for the data link connection identifier DL...

Page 26: ...r remote x25 address 4321 Do you want to map the remote machine s x25 address to IP address yes IP address for the remote interface 192 0 0 2 Do you want to map the remote machine s x25 address to IPX address yes IPX address for the remote interface 40 1234 5678 Enter lowest 2 way channel 1 Enter highest 2 way channel 64 Enter frame window K 7 Enter Packet window W 2 Enter Packet size must be powe...

Page 27: ...on this interface no yes IPX network number 8 Configure Vines on this interface no Configure XNS on this interface no Configure Apollo on this interface no Asynchronous Synchronous Serial Interface Synchronous Configuration The following is a sample configuration for synchronous configuration for an asynchronous synchronous serial interface Do you want to configure Serial1 0 interface yes Enter mo...

Page 28: ...in dce mode The following clock rates are supported on the serial interface 0 1200 2400 4800 9600 19200 38400 56000 64000 72000 125000 148000 500000 800000 1000000 1300000 2000000 4000000 8000000 choose speed from above 2000000 1200 Configure IP on this interface yes IP address for this interface 192 0 0 1 Subnet mask for this interface 255 0 0 0 Class A network is 2 0 0 0 8 subnet bits mask is 8 ...

Page 29: ...ress for the remote interface 40 1234 5678 SMDS Encapsulation The following is a sample configuration for switched multimegabit data service SMDS encapsulation Enter smds address for the local interface c141 5556 1415 We will need to map the remote smds station s address to the remote station s IP IPX address Enter smds address for the remote interface c141 5556 1414 Do you want to map the remote ...

Page 30: ...No further configuration is needed for HDLC encapsulation Do you have service profile identifiers SPIDs assigned no y Enter SPID1 12345 Enter SPID2 12345 Note The setup command facility prompts you for the service profile identifier SPID number only if you specify basic 5ess basic ni1 or basic dms100 for the switch type Do you want to map the remote machine s IP address in dialer map yes IP addres...

Page 31: ... to a frame relay switch 0 none 1 ansi 2 cisco 3 q933a Enter lmi type 2 Note The setup command facility prompts you for the DLCI number only if you specify none for the LMI type If you accept the default or specify another LMI type the DLCI number is provided by the specified protocol Enter the DLCI number for this interface 16 Do you want to map a remote machine s IP address to dlci yes IP addres...

Page 32: ... SMDS encapsulation Enter smds address for the local interface c141 5556 1415 We will need to map the remote smds station s address to the remote station s IP address Enter smds address for the remote interface c141 5556 1414 Do you want to map the remote machine s smds address to IP address yes IP address for the remote interface 192 0 0 1 Do you want to map the remote machine s smds address to I...

Page 33: ...g by Switch Type ISDN BRI provisioning refers to the types of services provided by the ISDN BRI line Although provisioning is performed by your ISDN BRI service provider you must tell the provider what you want Table 2 lists the provisioning you that should order for the router based on switch type Table 2 ISDN Provisioning by Switch Type Switch Type Provisioning 5ESS Custom BRI For data only 2 B ...

Page 34: ...directory number LDN on the router for both ISDN BRI B channels use the following isdn spid command in privileged EXEC mode Router config if isdn spid1 spid number ldn Router config if isdn spid2 spid number ldn Note Although the LDN is an optional parameter in the command you may need to enter it so that the router can answer calls made to the second directory number 5ESS National ISDN NI 1 BRI F...

Page 35: ...ure this interface controller no Will you be using PRI on this controller yes E1 T1 PRI Mode The following is a sample configuration for E1 T1 PRI mode The following framing types are available esf sf Enter the framing type esf The following linecode types are available ami b8zs Enter the line code type b8zs Enter number of time slots 24 Do you want to configure Serial1 0 23 interface yes Configur...

Page 36: ...ntication Router remote_router Enter a password for CHAP authentication secret Note The password which is used by the Challenge Handshake Authentication Protocol CHAP authentication process is case sensitive and must exactly match the password for the remote router Frame Relay Encapsulation The following is a sample configuration for Frame Relay encapsulation The following lmi types are available ...

Page 37: ...mote machine s IP address to vpi and vci yes IP address for the remote interface 6 0 0 1 Do you want to map the remote machine s IPX address to vpi and vci yes IPX address for the remote interface 40 0060 34c6 90ed SMDS Encapsulation The following is a sample configuration for switched multimegabit data service SMDS encapsulation Enter smds address for the local interface c141 5556 1415 We will ne...

Page 38: ...annel groups no y Enter number of time slots 18 3 Configure more channel groups no y Enter number of time slots 15 Configure more channel groups no Note The following sections describe the prompts for each encapsulation type No further configuration is needed for High Level Data Link Control HDLC encapsulation PPP Encapsulation The following is a sample configuration for PPP encapsulation Would yo...

Page 39: ...0 0 8 subnet bits mask is 8 If Internetwork Packet Exchange IPX is configured on the router the setup command facility prompts you for the IPX map Do you want to map a remote machine s IPX address to dlci yes IPX address for the remote interface 40 0060 34c6 90ed LAPB Encapsulation The following is a sample configuration for Link Access Procedure Balanced LAPB encapsulation lapb circuit can be eit...

Page 40: ...nection or you need connection for more than eight hours per day Switched Mode The following is a sample configuration for a switched mode interface Do you want to configure Serial0 0 0 interface yes Some encapsulations supported are ppp hdlc frame relay lapb atm dxi smds x25 Choose encapsulation type ppp Switched 56k interface may either be in switched Dedicated mode Choose from either switched d...

Page 41: ...k is 8 Completing the Configuration When you have provided all the information requested by the setup command facility the configuration appears To complete your router configuration follow these steps Step 1 A setup command facility prompt asks if you want to save this configuration If you answer no the configuration information you entered is not saved and you return to the router enable prompt ...

Page 42: ...served CCVP the Cisco logo and Welcome to the Human Network are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn is a service mark of Cisco Systems Inc and Access Registrar Aironet Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Ent...

Page 43: ...guration for your router Contents Platforms Supported by This Document page 1 Prerequisites for Basic Software Configuration Using the Cisco IOS CLI page 2 Restrictions for Basic Software Configuration Using the Cisco IOS CLI page 2 How to Perform a Basic Software Configuration Using the Cisco IOS CLI page 2 Where to Go Next page 19 Additional References page 19 Platforms Supported by This Documen...

Page 44: ...asic Software Configuration Using the Cisco IOS CLI If Cisco Router and Security Device Manager SDM is installed on your router we recommend that you use Cisco SDM instead of the Cisco IOS CLI to perform the initial software configuration To access SDM see the quick start guide that shipped with your router How to Perform a Basic Software Configuration Using the Cisco IOS CLI This section contains...

Page 45: ...me must also follow the rules for Advanced Research Projects Agency Network ARPANET hostnames They must start with a letter end with a letter or digit and have as interior characters only letters digits and hyphens Names must be 63 characters or fewer For more information see RFC 1035 Domain Names Implementation and Specification SUMMARY STEPS 1 enable 2 configure terminal 3 hostname name 4 Verify...

Page 46: ...because it uses an improved encryption algorithm Use the enable password command only if you boot an older image of the Cisco IOS software or if you boot older boot ROMs that do not recognize the enable secret command For more information see the Configuring Passwords and Privileges chapter in the Cisco IOS Security Configuration Guide Also see the Improving Security on Cisco Routers tech note Res...

Page 47: ...communication parameters specify autobaud connections and configure terminal operating parameters for the terminal that you are using For more information on configuring the console line see the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide In particular see the Configuring Operating Characteristics for Terminals and Troubleshooting and Fault Management chapters S...

Page 48: ... 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 line console 0 Example Router config line console 0 Configures the console line and starts the line configuration command collection mode Step 4 exec timeout minutes seconds Example Router config line exec t...

Page 49: ...faces chapter of the Cisco IOS Interface and Hardware Component Configuration Guide For information on interface numbering see the quick start guide that shipped with your router Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0 0 and FE0 1 In half duplex mode when traffic reaches or exceeds 100 capacity equal to or greater than 5 Mbps in each directi...

Page 50: ...nfigure terminal Enters global configuration mode Step 4 interface fastethernet gigabitethernet 0 port Example Router config interface fastethernet 0 1 Example Router config interface gigabitethernet 0 0 Specifies the Ethernet interface and enters interface configuration mode Note For information on interface numbering see the quick start guide that shipped with your router Step 5 description stri...

Page 51: ...ative methods of specifying a default route see the Configuring a Gateway of Last Resort Using IP Commands tech note The Cisco IOS software uses the gateway router of last resort if it does not have a better route for a packet and if the destination is not a connected network This section describes how to select a network as a default route a candidate route for computing the gateway of last resor...

Page 52: ...f prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 ip routing Example Router config ip routing Enables IP routing Step 4 ip route dest prefix mask next hop ip address admin distance permanent Example Router config ip route 192 168 24 0 255 255 255 0 172 28 99 2 Establishes a static route Step 5 ip default network network number or ip rout...

Page 53: ...form a Basic Software Configuration Using the Cisco IOS CLI Step 6 end Example Router config end Returns to privileged EXEC mode Step 7 show ip route Example Router show ip route Displays the current routing table information Verify that the gateway of last resort is set Command or Action Purpose ...

Page 54: ... Router What to Do Next Proceed to the Configuring Virtual Terminal Lines for Remote Console Access section on page 12 Configuring Virtual Terminal Lines for Remote Console Access Virtual terminal vty lines are used to allow remote access to the router This section shows you how to configure the virtual terminal lines with a password so that only authorized users can remotely access the router The...

Page 55: ...ample Router configure terminal Enters global configuration mode Step 3 line vty line number ending line number Example Router config line vty 0 4 Starts the line configuration command collection mode for the virtual terminal lines vty for remote console access Make sure that you configure all vty lines on your router Note To verify the number of vty lines on your router use the line vty command S...

Page 56: ...ine This section describes how to enter line configuration mode for the auxiliary line How you configure the auxiliary line depends on your particular implementation of the auxiliary AUX port See the following documents for information on configuring the auxiliary line Configuring a Modem on the AUX Port for EXEC Dialin Connectivity tech note http www cisco com warp public 471 mod aux exec html Co...

Page 57: ...rticular implementation of the AUX port DETAILED STEPS What to Do Next Proceed to the Verifying Network Connectivity section on page 15 Verifying Network Connectivity This section describes how to verify network connectivity for your router Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Ro...

Page 58: ...size 100 Timeout in seconds 2 Extended commands n Sweep range of sizes n Type escape sequence to abort Sending 5 100 byte ICMP Echos to 192 168 7 27 timeout is 2 seconds Success rate is 100 percent round trip min avg max 1 2 4 ms Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 ping ip address hostname Example Router ...

Page 59: ...Y STEPS 1 enable 2 copy running config startup config DETAILED STEPS What to Do Next Proceed to the Saving Backup Copies of Your Configuration and System Image section on page 17 Saving Backup Copies of Your Configuration and System Image To aid file recovery and minimize downtime in case of file corruption we recommend that you save backup copies of the startup configuration file and the Cisco IO...

Page 60: ...o learn the name of the system image file and the use of the copy flash tftp privileged EXEC command to copy the system image c3640 2is mz to a TFTP server The router uses the default username and password Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 copy nvram startup config ftp rcp tftp Example Router copy nvram...

Page 61: ...es related to basic software configuration using the Cisco IOS CLI Related Documents Basic Software Configuration Topic Related Document Title or Link Chassis installation cable connections power up procedures and interface numbering Quick start guide for your router Cisco Security Device Manager SDM http www cisco com go sdm Guidelines for assigning the router hostname RFC 1035 Domain Names Imple...

Page 62: ... settings that network administrators should consider changing on their routers especially on their border routers to improve security Improving Security on Cisco Routers tech note Note To view this document you must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear IP ...

Page 63: ... Unity Enterprise Solver EtherChannel EtherFast EtherSwitch Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study LightStream Linksys MeetingPlace MGX Networkers Networking Academy Network Registrar PIX ProConnect ScriptShare SMARTnet StackWise The Fastest Way to Increase Your Internet Quotient ...

Page 64: ...22 Basic Software Configuration Using the Cisco IOS Command Line Interface OL 5593 01 Additional References ...

Page 65: ... back through the firewall The traffic is allowed back through the firewall only if the traffic is part of the same session as the original traffic that triggered CBAC when exiting through the firewall Cisco IOS Intrusion Prevention System IPS The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System IDS allowing customers to choose to load the default built in signa...

Page 66: ...this document is based on the software and hardware versions below Cisco 2801 router Cisco IOS Release 12 3 8 T4 Advanced IP Services feature set Note The information in this document was created from the devices in a specific lab environment All of the devices used in this document started with a cleared default configuration If your network is live make sure that you understand the potential imp...

Page 67: ... anywhere in the network In this case it is on the Fast Ethernet 0 1 side of the secured branch router Configurations This document uses the configuration shown below router show running config Building configuration Enable the authentication authorization and accounting AAA access control model aaa new model Identify the Cisco Secure Authentication Control Server ACS as a member of a AAA server g...

Page 68: ... authentication cache entry along with its associated dynamic user access control list is managed after a period of inactivity ip auth proxy inactivity timer 120 Create an authentication proxy rule in this example it is named aprule Set HTTP to trigger the authentication proxy ip auth proxy name aprule http Configure the Cisco IOS Intrusion Protection System IPS feature Specify the location from w...

Page 69: ... 255 0 ip access group 111 in ip classless The following command establishes a static route to the HTTP server which in this example has an IP address of 192 168 102 119 ip route 192 168 102 0 255 255 255 0 FastEthernet0 1 Enable the HTTP server on your system Also specify that the authentication method used for AAA login service should be used for authenticating HTTP server users ip http server i...

Page 70: ...nalysis of show command output You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear Commands for Verifying Firewall Websense URL Filtering show ip urlfilter cache Displays the maximum number of entries that can be cached into the cache table and the number of entr...

Page 71: ... count 0 Maxever packet buffer count 0 Maxever cache entry count 0 Total requests sent to URL Filter Server 13 Total responses received from URL Filter Server 13 Total requests allowed 9 Total requests blocked 4 Commands for Verifying Cisco IOS Firewall Authentication Proxy show ip auth proxy Displays the authentication proxy entries or configuration Router show ip auth proxy cache Authentication ...

Page 72: ... FA N 2 2 6105 0 Y AD HIGH 0 0 0 100 30 FA N 2 2 6105 1 Y ADR HIGH 0 0 0 100 30 FA N 2 2 6188 0 Y AD HIGH 0 0 0 100 30 FA N S43 6189 0 Y AD HIGH 0 0 0 100 30 FA N S43 6189 1 Y ADR HIGH 0 0 0 100 30 FA N S43 6190 0 Y AD HIGH 0 0 0 100 30 FA N 2 1 6190 1 Y ADR HIGH 0 0 0 100 30 FA N 2 1 6191 0 Y AD HIGH 0 0 0 100 30 FA N 2 1 6191 1 Y ADR HIGH 0 0 0 100 30 FA N 2 1 6192 0 Y AD HIGH 0 0 0 100 30 FA N ...

Page 73: ...9202 0 Y AD HIGH 0 0 0 100 30 FA N S40 9203 0 Y AD HIGH 0 0 0 100 30 FA N S40 9204 0 Y AD HIGH 0 0 0 100 30 FA N S40 9205 0 Y AD HIGH 0 0 0 100 30 FA N S40 9206 0 Y AD HIGH 0 0 0 100 30 FA N S40 9207 0 Y AD HIGH 0 0 0 100 30 FA N S40 9208 0 Y AD HIGH 0 0 0 100 30 FA N S40 9209 0 Y AD HIGH 0 0 0 100 30 FA N S40 9210 0 Y AD HIGH 0 0 0 100 30 FA N S40 9211 0 Y AD HIGH 0 0 0 100 30 FA N S40 9212 0 Y A...

Page 74: ...systems Router debug ip urlfilter detailed Urlfilter Detailed Debugs debugging is on Router Aug 26 20 11 58 538 URLF got cache idle timer event Aug 26 20 11 58 538 URLF cache table is about to overflow delete idle entries Aug 26 20 12 00 962 URLF creating uis 0x64EF00A0 pending request 1 Aug 26 20 12 00 962 URLF domain name not found in the exclusive list Aug 26 20 12 00 962 URLF got an cbac queue...

Page 75: ...684 dst_addr 192 168 102 119 src_addr 192 168 1 118 dst_port 80 src_port 1900 Aug 30 23 16 07 684 clientport 1900 state 0 Aug 30 23 16 07 684 AUTH PROXY proto_flag 4 dstport_index 4 Aug 30 23 16 07 684 PSH ACK 2787182962 SEQ 24350098 LEN 282 Aug 30 23 16 07 684 dst_addr 192 168 102 119 src_addr 192 168 1 118 dst_port 80 src_port 1900 Aug 30 23 16 07 684 clientport 1900 state 0 Aug 30 23 16 07 688 ...

Page 76: ...se Solver EtherChannel EtherFast EtherSwitch Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study LightStream Linksys MeetingPlace MGX Networkers Networking Academy Network Registrar PIX ProConnect ScriptShare SMARTnet StackWise The Fastest Way to Increase Your Internet Quotient and TransPath a...

Page 77: ...ices The small branch office requires a robust and integrated voice mail solution The integrated services routers also support various options for WAN uplink and integrated LAN switching modules Land Mobile Radio LMR is used by an enterprise for several reasons which include loss prevention premise safety and security and Push to Talk PTT communication for mobile workers within range of the radio ...

Page 78: ... slots Cisco CallManager seamlessly connects to Cisco CME over an H 323 trunk defined on the Cisco CallManager Release 3 3 3 or later Cisco CME Release 3 2 manages the local phone network Cisco CME and Cisco Unity Express enable users to use a gateway as though it were a PBX coupled to a voice mail system Cisco Unity Express with Cisco Service Engine 1 1 on the NM CUE provides voice mail and auto ...

Page 79: ... reflects use of devices in a specific lab environment All devices used in this configuration example started with a cleared default configuration If you are working with a live network ensure that you understand the potential effects of any command before you use it The configuration example presented in this document depicts a combination of features on a single branch office router Users of thi...

Page 80: ...t appear Configuration Tips The gigabit port on the router does not provide inline power Routing should be enabled and assumed to be configured The external flash card on the integrated services routers holds the router image VLAN database graphical user interface GUI files for Cisco CME and Cisco Unity Express It should not be removed during the normal operation of the router The LMR integration ...

Page 81: ... username and passwords for Web server and local authentication username cisco password 7 1511021F0725 clock timezone PST 8 clock summer time PDT recurring no network clock participate slot 1 no network clock participate slot 2 no network clock participate slot 3 no network clock participate slot 4 no network clock participate wic 0 no network clock participate wic 1 network clock participate wic ...

Page 82: ...onsole aaa authorization exec default local aaa authorization network groupauthor local aaa session id common ip subnet zero no ip source route ip cef Configure a DHCP address pool for each IP phone ip dhcp excluded address 192 168 10 1 192 168 10 99 ip dhcp pool NONAT network 10 1 153 0 255 255 255 248 default router 10 1 153 1 dns server 10 1 162 183 10 1 156 120 option 150 ip 10 1 152 9 domain ...

Page 83: ...ck to back offers the possibility of using E 164 number as a conference ID or for using the multicast stream for application such as Hoot and Holler Cisco CME offers 3 party conference calling and is the recommended method for a small branch office the following T1 loopback cable is not required for configuring the conferencing features Cisco IOS supports audio mixing of loudest three streams The ...

Page 84: ... and Holler using multicast on router The multicast streaming of packets from the local router uses the VIF interface to derive the local ip address and the port of the packets This can be verified by the show command show voip rtp connection interface Vif1 ip address 10 1 153 41 255 255 255 252 ip pim sparse dense mode WAN uplink interface Serial0 0 0 ip address 10 1 152 30 255 255 255 252 ip pim...

Page 85: ...im sparse dense mode ip nat inside ip virtual reassembly interface Vlan110 ip address 10 1 153 1 255 255 255 248 ip pim sparse dense mode ip virtual reassembly OSPF used as the routing protocol for scenario router ospf 1 router id 10 1 152 9 log adjacency changes network 10 1 152 9 0 0 0 0 area 0 network 10 1 152 10 0 0 0 0 area 0 network 10 1 152 28 0 0 0 3 area 0 network 10 1 152 140 0 0 0 3 are...

Page 86: ...ssion protocol multicast voice port 0 2 0 1 auto cut through voice port 0 2 0 2 auto cut through voice port 0 2 0 3 auto cut through voice port 0 2 0 4 auto cut through voice port 0 2 0 3 auto cut through voice port 0 2 0 4 auto cut through voice port 0 2 0 5 auto cut through voice port 0 2 0 6 auto cut through E M ports connected to the LMR Land Mobile Radio Each radio may have a different radio ...

Page 87: ...the multicast dial peer to convert it into a multicast stream The 3 party mixing algorithm takes care of conferencing between the dialed parties voice port 0 2 1 3 auto cut through timeouts call disconnect 3 connection trunk 21111 voice port 0 2 1 4 auto cut through timeouts call disconnect 3 connection trunk 21111 voice port 0 2 1 5 auto cut through timeouts call disconnect 3 connection trunk 211...

Page 88: ...IP to multicast bridging for LMR integration destination pattern 20480 voice class permanent 1 session protocol multicast session target ipv4 239 192 17 191 20480 codec g711ulaw vad aggressive dial peer voice 20481 voip description VoIP to multicast bridging for LMR integration destination pattern 20481 voice class permanent 1 session protocol multicast session target ipv4 239 192 17 192 20480 cod...

Page 89: ...scription VoIP to local multicast conference bridge destination pattern 2111 port 0 2 0 5 dial peer voice 9 pots description VoIP to local multicast conference bridge destination pattern 2111 port 0 2 0 6 Dial Cisco CME Configuration with services configuration telephony service fxo hook flash load 7910 P00403020214 load 7960 7940 P00306000300 max ephones 27 max dn 40 ip source address 10 1 152 9 ...

Page 90: ...an 27749 timeout 18 ephone dn 4 dual line number 27728 description Monica name Monica call forward busy 27749 call forward noan 27749 timeout 10 ephone dn 5 dual line number 27729 description Jen Shue Shih name Jen Shue Shih call forward busy 27749 call forward noan 27749 timeout 10 ephone dn 6 dual line number 27730 description Mike name Mike call forward busy 27749 call forward noan 27749 timeou...

Page 91: ...all forward busy 27749 call forward noan 27749 timeout 18 ephone dn 12 dual line number 27736 description Estelle name Estelle call forward busy 27749 call forward noan 27749 timeout 18 ephone dn 13 dual line ephone dn 14 dual line ephone dn 15 dual line number 27739 call forward busy 27749 call forward noan 27749 timeout 18 ephone dn 16 dual line number 27740 call forward busy 27749 call forward ...

Page 92: ... ephone dn 21 dual line number 27745 call forward busy 27749 call forward noan 27749 timeout 18 ephone dn 25 ephone dn 27 number 27749 call forward busy 27749 call forward noan 27749 timeout 18 ephone dn 39 number 8000 mwi off ephone dn 40 number 8001 mwi on ephone 1 mac address 0003 4713 5554 type CIPC button 1 1 ephone 2 mac address 0002 8A3E 6606 type CIPC button 1 2 ephone 3 mac address 0001 0...

Page 93: ...6 ephone 7 mac address 0009 6B30 E399 type CIPC button 1 7 ephone 8 mac address 000B BE37 1AB1 type 7960 button 1 8 ephone 9 mac address 0006 D74B 15B3 type 7960 button 1 9 ephone 10 mac address 000B 5F92 5784 type 7960 button 1 10 ephone 11 mac address 000C CE3A 87FA type 7960 button 1 11 ephone 12 mac address 000C CE35 1B23 type 7960 button 1 12 ephone 13 mac address 0002 8A9B 0CE5 type CIPC but...

Page 94: ...ne 16 mac address 0030 94C3 BE45 type 7960 button 1 16 ephone 17 ephone 18 ephone 19 ephone 20 ephone 21 line con 0 authorization exec LOCAL stopbits 1 line aux 0 stopbits 1 line 66 no activation character no exec transport preferred none transport input all transport output all line 130 no activation character no exec transport preferred none transport input all transport output all line 258 no a...

Page 95: ...ow commands for the voice gateway show voice port summary Displays a summary of all voice ports show voip rtp connections Displays VoIP RTP active connections show voip dsp Displays DSP information show voice trace Displays voice channel configuration information for all DSP channels show voice call summary Displays the call status for all voice ports show running config Displays the contents of t...

Page 96: ...output for the show telephony service command on the Cisco CME CCME CUE SJC show telephony service CONFIG Version 3 2 Version 3 2 Cisco CallManager Express For on line documentation please see www cisco com univercd cc td doc product access ip_ph ip_ks index htm ip source address 10 1 152 9 port 2000 load 7910 P00403020214 load 7960 7940 P00303020214 max ephones 27 max dn 40 max conferences 8 dspf...

Page 97: ...0 2 51961 Telecaster 7960 keepalive 39556 max_line 6 button 1 dn 15 number 27739 CH1 IDLE CH2 IDLE The following is an example of output for the show voice port summary command on the branch office router 3845 gw show voice port summary IN OUT PORT CH SIG TYPE ADMIN OPER STATUS STATUS EC 0 2 0 1 01 e m imd up dorm idle idle y 0 2 0 2 02 e m imd up dorm idle idle y 0 2 0 3 03 e m imd up dorm idle i...

Page 98: ...4 0 0 14 C5510 014 02 g711ulaw 4 4 1 busy idle 0 0 0 2 1 6 06 0 1833 5379 C5510 014 03 None 4 4 1 busy idle 0 0 0 2 0 5 05 0 0 14 C5510 014 04 None 4 4 1 busy idle 0 0 0 2 0 6 06 0 0 14 C5510 014 05 g711ulaw 4 4 1 busy idle 0 0 0 2 1 5 05 0 1424 5334 C5510 014 06 g711ulaw 4 4 1 busy idle 0 0 0 2 1 4 04 0 1402 5057 DSP SIGNALING CHANNELS DSP DSP DSPWARE CURR BOOT PAK TX RX TYPE NUM CH CODEC VERSION...

Page 99: ...0 1 1 g711ulaw y S_CONNECT S_TRUNKED 0 2 1 1 1 g711ulaw y S_CONNECT S_TRUNKED 0 2 1 2 2 g711ulaw y S_CONNECT S_TRUNKED 0 2 1 3 3 g711ulaw y S_CONNECT S_TRUNKED 0 2 1 4 4 g711ulaw y S_CONNECT S_TRUNKED 0 2 1 5 5 g711ulaw y S_CONNECT S_TRUNKED 0 2 1 6 6 g711ulaw y S_CONNECT S_TRUNKED 0 3 0 FXSLS_ONHOOK 0 3 1 FXSLS_ONHOOK 0 3 2 FXSLS_ONHOOK 0 3 3 FXSLS_ONHOOK 50 0 1 1 EFXS_ONHOOK 50 0 9 1 EFXS_ONHOOK...

Page 100: ...ion asf none nsc wma wmv mp3 wmt broadcast alias name lanka source mms 24 6 215 172 AAA wmt enable multicast accept license agreement ip name server 10 68 162 183 ip name server 10 72 156 120 wccp router list 1 10 1 152 249 wccp web cache router list num 1 wccp version 2 username admin password 1 bVmDmMMmZAPjY username admin privilege 15 authentication login local enable primary authentication con...

Page 101: ...s Duration in seconds Type Transport Source Pkts_Recd Bytes_Recd Duration BW Server IP Filename Stream Id LIVE MMS TCP RMT_MMS 807995 1165556557 44531 216 24 6 215 172 AAA 5878 Outgoing Streams Client IP Type Transport Source State Pkts_sent Bytes_sent Duration BW Server IP Filename Stream Id 10 21 96 174 LIVE HTTP RMT_MMS Play 216441 312540804 11946 216 24 6 215 172 lanka 13830 10 21 81 206 LIVE ...

Page 102: ...5 100 00 On Demand Content 0 0 00 By Transport Protocol MMSU 32 42 67 MMST 1 1 33 HTTP 42 56 00 By Source of Content Local 0 0 00 Remote MMS 75 100 00 Remote HTTP 0 0 00 Multicast 0 0 00 CDN Related WMT Requests CDN Content Hits 0 0 00 CDN Content Misses 0 0 00 CDN Content Live 0 0 00 CDN Content Errors 0 0 00 Unicast Bytes Statistics Total unicast incoming bytes 1178064843 Total of Total Unicast ...

Page 103: ...70301 Total of Total Bytes Saved By Pre positioned content 0 0 00 By Live splitting 3520070301 100 00 By Cache hit 0 0 00 Total of Total Live Outgoing Bytes Live Splitting Incoming bytes 1178064843 25 08 Outgoing bytes 4698135144 100 00 Bytes saved 3520070301 74 92 Total of Bytes Cache Total Caching Bytes cache miss 0 0 00 Bytes cache hit 0 0 00 Bytes cache total 0 0 00 Bytes cache bypassed 0 Tota...

Page 104: ...0 Max 0 000 Concurrent Bandwidth to Remote Servers Kbps Current 216 765 Max 216 765 Error Statistics Total request errors 0 Errors generated by this box Reach MAX connections 0 Reach MAX incoming bandwidth 0 Reach MAX outgoing bandwidth 0 Reach MAX incoming bit rate 0 Reach MAX outgoing bit rate 0 MMSU under wccp 0 MMSU not allowed 0 MMST not allowed 0 MMSU T not allowed 0 HTTP not allowed 0 1st t...

Page 105: ...output for the show interface service engine 4 0 command on the Cisco CME for Cisco Unity Express 3845 gw show interface service engine 4 0 Service Engine4 0 is up line protocol is up Hardware is I82559FE address is 000e 8335 7c30 bia 000e 8335 7c30 Interface is unnumbered Using address of Loopback2 10 1 152 241 MTU 1500 bytes BW 100000 Kbit DLY 100 usec reliability 255 255 txload 1 255 rxload 1 2...

Page 106: ...e engine 4 0 status command on the Cisco CME for Cisco Unity Express 3845 gw service module service Engine 4 0 status Service Module is Cisco Service Engine4 0 Service Module supports session via TTY line 258 Service Module is in Steady state Getting status from the Service Module please wait cisco service engine 1 1 The following is an example of output for the service module service engine 4 0 s...

Page 107: ...ame Rachel phonenumber 27726 username chandler phonenumber 27727 username Monica phonenumber 27728 username Jeshih phonenumber 27729 username Mike phonenumber 27730 username Phoebe phonenumber 27731 username Cosmo phonenumber 27732 username Jerry phonenumber 27733 username George phonenumber 27734 username Frank phonenumber 27735 username Estelle phonenumber 27736 groupname Administrators member c...

Page 108: ...cn engine end engine ccn subsystem jtapi ccm manager address end subsystem ccn subsystem sip gateway address 10 1 152 241 end subsystem ccn trigger sip phonenumber 27748 application autoattendant enabled locale en_US maxsessions 8 end trigger ccn trigger sip phonenumber 27749 application voicemail enabled locale en_US maxsessions 8 end trigger ccn trigger sip phonenumber 27751 application promptmg...

Page 109: ...00 description Cosmo mailbox end mailbox voicemail mailbox owner Jerry size 3000 description Jerry mailbox end mailbox voicemail mailbox owner George size 3000 description George mailbox end mailbox voicemail mailbox owner Frank size 3000 description Frank mailbox end mailbox voicemail mailbox owner Estelle size 3000 description Estelle mailbox end mailbox end The following is an example of output...

Page 110: ...w voicemail limits Default Mailbox Size seconds 3000 Default Caller Message Size seconds 60 Maximum Recording Size seconds 900 Default Message Age days 30 System Capacity minutes 6000 Default Prompt Language en_US Operator Telephone 0 The following is an example of output for the show ccn application command on Cisco Unity Express se 10 32 152 242 show ccn application Name ciscomwiapplication Desc...

Page 111: ...ype SIP Application promptmgmt Locale en_US Idle Timeout 10000 Enabled yes Maximum number of sessions 1 Name 27748 Type SIP Application autoattendant Locale en_US Idle Timeout 10000 Enabled yes Maximum number of sessions 8 se 10 32 152 242 Verification Screens Examples The following display screen examples depict the graphical user interface for Cisco CallManager Cisco CallManager Express Cisco CM...

Page 112: ...n Solution for Group Applications Configuration Example Verify 36 OL 6574 01 Cisco CallManager Screen Examples The screen display example below shows Cisco CallManager Release 3 3 3 trunk configuration for a Cisco CME ...

Page 113: ...The screen display example below depicts media termination point MTP software configuration ...

Page 114: ...Cisco CME Screen Examples The screen display example below identifies Cisco CallManager extensions ...

Page 115: ...The screen display example below provides details about Cisco CME phones ...

Page 116: ...Cisco Unity Express Screen Examples The screen display example below lists voice mailboxes on Cisco Unity Express user configuration ...

Page 117: ...The screen display example below provides details about voice mailboxes on Cisco Unity Express ...

Page 118: ...ing tech notes IP Security Troubleshooting Understanding and Using debug Commands Troubleshooting Reference Documents and Commands The following references and command recommendations offer guidance for troubleshooting Cisco CME based Cisco Unity Express implementations Note Before issuing debug commands see Important Information on Debug Commands For troubleshooting and debugging VoIP call basics...

Page 119: ...and collects debug information only for signaling events This command can also be useful in resolving problems with signaling to a PBX debug voip ccapi This command traces the execution path through the call control application programming interface API which serves as the interface between the call session application and the underlying network specific software You can use the output from this c...

Page 121: ...e Network VPN of IP Security IPSec encrypted tunnels Techniques used include Internet Key Exchange IKE dead peer detection DPD split tunneling and group policy on the server with Domain Name Server DNS information Windows Information Name Service WINS information domain name and an IP address pool for clients Headquarters uses an EzVPN concentrator a Cisco 3800 series router with an ATM interface ...

Page 122: ...gorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec IPSec can protect one or more data flows between a pair of hosts between a pair of security gateways or between a security gateway and a host ISAKMP Internet Security Association Key Management Protocol A protocol for key exchange encryption and authentication ISAKMP requires at least one pair...

Page 123: ...rking in a live network ensure that you understand the potential impact of any command before you use it Note When configuring stateful failover for IPSec on the Cisco 2811 router you may get the following message if there is no AIM VPN module installed crypto_ha_ipsec 4 crypto_ha_not_supported_by_hw 2811 Once an AIM VPN module is installed in the Cisco 2811 router this error message will no longe...

Page 124: ...c IP address 10 32 152 26 Private IP address pool 192 168 1 0 24 The Branch 1 location callout 8 uses a Cisco 1841 router with these characteristics EzVPN client using client mode DSL access to the Internet WIC 1SHDSL interface card installed Public IP address 10 32 152 46 117861 IP IP IP IP IP IP IP IP IP 1 2 3 4 5 7 8 9 6 1 Headquarters location 6 DSL link from the Branch 1 router to the Interne...

Page 125: ...Easy VPN Configuration Example Configure 5 OL 6340 01 Private IP address pool 192 168 3 0 24 ...

Page 126: ...ration Current configuration 6824 bytes version 12 3 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password encryption hostname EzVPN Hub boot start marker boot end marker enable secret 5 1 t8oN hXnGodPh8ZM ka6k 9aO51 username admin secret 5 1 cfjP kKpB7e3pfKXfpK0RIqX E username ezvpn spoke2 secret 5 1 vrSS AhSPxEUnPOsSpJkGdzjXg username ezvpn s...

Page 127: ... dynamic map INT_MAP 1 set security association lifetime kilobytes 530000000 set security association lifetime seconds 14400 set transform set TRANSFORM 1 crypto map INT_MAP client authentication list USER_AAA crypto map INT_MAP isakmp authorization list GROUP_AAA crypto map INT_MAP client configuration address respond crypto map INT_MAP 30000 ipsec isakmp dynamic INT_MAP interface GigabitEthernet...

Page 128: ...t4 5 switchport access vlan 10 no ip address interface FastEthernet4 6 switchport access vlan 10 no ip address interface FastEthernet4 7 switchport access vlan 10 no ip address interface FastEthernet4 8 switchport access vlan 10 no ip address interface FastEthernet4 9 switchport access vlan 10 no ip address interface FastEthernet4 10 switchport access vlan 10 no ip address interface FastEthernet4 ...

Page 129: ...p local pool VPN POOL 10 1 1 1 10 1 1 10 ip classless ip route 0 0 0 0 0 0 0 0 10 32 152 25 ip http server no ip http secure server control plane line con 0 line aux 0 line vty 0 4 login authentication USERLIST end Branch 1 Router Configuration Cisco 1841 Router EzVPN Spoke 1 show running config Building configuration Current configuration 4252 bytes version 12 3 no service pad service timestamps ...

Page 130: ... lookup ip domain name cisco com ip sap cache timeout 30 ip ssh time out 30 ip ids po max events 100 no ftp server write enable IPSec configuration crypto ipsec client ezvpn VPN1 connect auto group VPN1 key cisco123 mode client peer 10 32 152 26 username ezvpn spoke1 password cisco1 interface FastEthernet0 0 description private interface ip address 192 168 2 1 255 255 255 0 duplex auto speed auto ...

Page 131: ...e aux 0 line vty 0 4 login authentication USERLIST end Branch 2 Router Configuration Cisco 2811 Router EzVPN Spoke 2 show running config Building configuration Current configuration 4068 bytes version 12 3 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password encryption hostname EzVPN Spoke 2 boot start marker boot end marker enable secret 5 1 ...

Page 132: ...6 username ezvpn spoke2 password cisco2 interface FastEthernet0 0 description private interface ip address 192 168 3 1 255 255 255 0 duplex auto speed auto crypto ipsec client ezvpn VPN1 inside interface FastEthernet0 1 no ip address duplex auto speed auto shutdown interface Serial0 0 0 description public interface ip address 10 32 150 46 255 255 255 252 crypto ipsec client ezvpn VPN1 ip classless...

Page 133: ...ishment of crypto connections to the remote EzVPN clients EzVPN Hub Feb 23 10 33 10 663 CRYPTO 5 SESSION_STATUS Crypto tunnel is UP Peer 10 32 150 46 500 Id VPN1 Feb 23 10 33 37 439 CRYPTO 5 SESSION_STATUS Crypto tunnel is UP Peer 10 32 152 46 500 Id VPN1 The following examples show sample output for the show crypto ipsec sa and show crypto ipsec client ezvpn commands The following is sample outpu...

Page 134: ...ort Y outbound ah sas outbound pcp sas protected vrf local ident addr mask prot port 0 0 0 0 0 0 0 0 0 0 remote ident addr mask prot port 192 168 3 0 255 255 255 0 0 0 current_peer 10 32 150 46 500 PERMIT flags pkts encaps 0 pkts encrypt 0 pkts digest 0 pkts decaps 0 pkts decrypt 0 pkts verify 0 pkts compressed 0 pkts decompressed 0 pkts not compressed 0 pkts compr failed 0 pkts not decompressed 0...

Page 135: ...er0 Current State IPSEC_ACTIVE Last Event SOCKET_UP Address 10 1 1 3 Mask 255 255 255 255 DNS Primary 192 168 168 183 DNS Secondary 192 168 226 120 NBMS WINS Primary 192 168 179 89 NBMS WINS Secondary 192 168 2 87 Default Domain cisco com The following is sample output from the show crypto ipsec client ezvpn command performed using the configuration on the EzVPN Spoke 2 location EzVPN Spoke 2 show...

Page 136: ... 26 Debug output resumes May 24 03 04 51 927 EZVPN VPN1 Current State CONNECT_REQUIRED May 24 03 04 51 927 EZVPN VPN1 Event CONNECT May 24 03 04 51 927 EZVPN VPN1 ezvpn_connect_request May 24 03 04 51 927 EZVPN VPN1 New State READY May 24 03 04 51 999 EZVPN VPN1 Current State READY May 24 03 04 51 999 EZVPN VPN1 Event CONN_UP May 24 03 04 51 999 EZVPN VPN1 ezvpn_conn_up 7F890E16 DB923EE3 67C9C0D2 ...

Page 137: ...nknown Unsupported Attr BACKUP_SERVER 0x7009 May 24 03 04 52 039 EZVPN Unknown Unsupported Attr APPLICATION_VERSION 0x7 May 24 03 04 52 039 EZVPN VPN1 ezvpn_nat_config May 24 03 04 52 043 EZVPN VPN1 New State SS_OPEN May 24 03 04 52 047 EZVPN VPN1 Current State SS_OPEN May 24 03 04 52 047 EZVPN VPN1 Event SOCKET_READY May 24 03 04 52 047 EZVPN VPN1 No state change The following line shows the conn...

Page 141: ...rading floor financial institutions for communications to branch offices The configuration scenario emphasizes implementation of the quality of service QoS and VPN capabilities the configuration has the following characteristics All traffic between two client branch sites and headquarters passes through a VPN of IPSec encrypted tunnels This implementation of Cisco V3 PN features the use of Protoco...

Page 142: ...n in this document is based on these software and hardware versions At Headquarters a Cisco 3845 router with a Cisco CallManager cluster with ATM access to the Internet At Branch 1 a Cisco 2801 router with a WIC SHDSL V2 interface card installed and with DSL access to the Internet At Branch 2 a Cisco 2811 router with a serial interface connection to the Internet Cisco IOS Release 12 3 11 T or late...

Page 143: ...ed in this document use the Cisco IOS Command Lookup tool You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear Configuration Tips Make sure that the tunnels work before you apply the crypto maps Apply IPSec crypto maps to both the tunnel interface and the physical...

Page 144: ... access to the Internet Public IP address 10 32 150 46 30 Private IP address pool 192 168 3 0 24 Configurations This document uses the following configurations Headquarters Office Configuration Cisco 3845 Router page 4 Branch 1 Router Configuration Cisco 2801 Router page 9 Branch 2 Router Configuration Cisco 2811 Router page 14 Headquarters Office Configuration Cisco 3845 Router HUB R1 show runnin...

Page 145: ...ic 3 no network clock participate aim 0 no network clock participate aim 1 aaa new model ENABLE AAA AND USE LOCAL AUTHENTICATION FOR VPN CONNECTIONS aaa authentication login USERLIST local aaa session id common ip subnet zero ip cef CREATE DHCP POOL FOR INTERNAL CLIENTS ON VLAN 10 ip dhcp excluded address 192 168 1 1 ip dhcp pool LOCAL network 192 168 1 0 255 255 255 0 default router 192 168 1 1 n...

Page 146: ...p policy 10 encr 3des authentication pre share group 2 SPECIFY THAT ISAKMP CLIENTS SPOKE ROUTERS WILL NOT NEED TO USE XAUTH USERNAME AND PASSWORD WHEN CONNECTING crypto isakmp key cisco address 10 32 150 46 no xauth crypto isakmp key cisco address 10 32 153 34 no xauth crypto ipsec transform set TRANSFORM_1 esp 3des esp sha hmac DEFINE THE REMOTE SPOKES THEIR IP ADDRESSES AND ANY POLICIES THAT NEE...

Page 147: ...y tunnel source ATM1 0 tunnel destination 10 32 153 34 crypto map INT_CM THIS LOOPBACK INTERFACE ACTS AS THE MULTICAST RP interface Loopback100 ip address 192 168 4 1 255 255 255 255 ip pim sparse dense mode THIS VIF INTERFACE IS USED AS THE MULTICAST SOURCE FOR THE VOICE ENDPOINT interface Vif1 ip address 192 168 6 1 255 255 255 0 ip pim sparse dense mode NOT USED interface GigabitEthernet0 0 no ...

Page 148: ...CE FOR CONNECTING INTERNAL HOSTS interface Vlan10 description Private interface ip address 192 168 1 1 255 255 255 0 ip pim sparse dense mode ENABLE ROUTING FOR ALL RELEVANT NETWORKS INTERNAL USER SUBNET LOOPBACK FOR RP AND VIF FOR VOICE router ospf 1 log adjacency changes network 192 168 1 0 0 0 0 255 area 0 network 192 168 4 1 0 0 0 0 area 0 network 192 168 6 0 0 0 0 255 area 0 DEFINE STATIC ROU...

Page 149: ...3 connection trunk 100 voice port 0 1 1 THIS DIAL PEER CONNECTS THE VOICE PORT TO MULTICAST GROUP 239 168 1 100 g711 CODEC 64k IS USED AND VAD IS ENABLED dial peer voice 100 voip destination pattern 100 session protocol multicast session target ipv4 239 168 1 100 19890 codec g711ulaw vad aggressive line con 0 stopbits 1 line aux 0 stopbits 1 line vty 0 4 login authentication USERLIST end Branch 1 ...

Page 150: ...ticipate wic 8 no network clock participate aim 0 no network clock participate aim 1 mmi polling interval 60 no mmi auto configure no mmi pvc mmi snmp timeout 180 aaa new model aaa authentication login USERLIST local aaa session id common ip subnet zero ip cef ip dhcp excluded address 192 168 2 1 ip dhcp pool LOCAL network 192 168 2 0 255 255 255 0 default router 192 168 2 1 no ip domain lookup ip...

Page 151: ...ass data bandwidth percent 20 class class default fair queue SET THE IKE POLICY TO USE 3DES crypto isakmp policy 10 encr 3des authentication pre share group 2 crypto isakmp key cisco address 10 32 152 26 no xauth crypto ipsec transform set TRANSFORM_1 esp 3des esp sha hmac SPECIFY REMOTE PEER crypto map INT_CM 1 ipsec isakmp description Peer device HUB R1 set peer 10 32 152 26 set security associa...

Page 152: ...O ATM PVC 8 35 IS USED IN THIS EXAMPLE interface ATM2 0 no ip address no atm ilmi keepalive dsl equipment type CPE dsl operating mode GSHDSL symmetric annex A dsl linerate AUTO pvc 0 35 encapsulation aal5snap pvc 8 35 vbr nrt 2000 1000 encapsulation aal5mux ppp Virtual Template1 interface FastEthernet4 0 no ip address interface FastEthernet4 1 no ip address interface FastEthernet4 2 no ip address ...

Page 153: ...host 10 32 152 26 control plane CONFIGURE THE VOICE PORT AND LINK IT TO DIAL PEER 100 THIS CONNECTION IS PERMANENT THE VOICE CLASS WAS DEFINED EARLIER IN THE CONFIGURATION AND ESTABLISHES AN ALWAYS ON CONNECTION voice port 1 0 voice class permanent 1 timeouts call disconnect 3 connection trunk 100 voice port 1 1 voice port 1 2 voice port 1 3 THIS DIAL PEER CONNECTS THE VOICE PORT TO MULTICAST GROU...

Page 154: ... memory size iomem 25 mmi polling interval 60 no mmi auto configure no mmi pvc mmi snmp timeout 180 aaa new model aaa authentication login USERLIST local aaa session id common ip subnet zero ip cef ip dhcp excluded address 192 168 3 1 ip dhcp pool LOCAL network 192 168 3 0 255 255 255 0 default router 192 168 3 1 no ip domain lookup ip domain name cisco com ip multicast routing ip audit notify log...

Page 155: ...1 class map match all video match ip precedence 4 class map match all voice match ip dscp ef policy map LLQ class control traffic bandwidth percent 5 class voice priority percent 35 class video bandwidth percent 15 class data bandwidth percent 20 class class default fair queue interface Tunnel0 description Peer device HUB R1 bandwidth 10000 ip unnumbered FastEthernet0 0 ip mtu 1420 ip pim sparse d...

Page 156: ...0 description Public interface ip address 10 32 150 46 255 255 255 252 service policy output LLQ crypto map INT_CM interface Vlan1 no ip address router ospf 1 log adjacency changes network 192 168 3 0 0 0 0 255 area 0 network 192 168 5 0 0 0 0 255 area 0 ip classless ip route 0 0 0 0 0 0 0 0 10 32 150 45 ip route 0 0 0 0 0 0 0 0 Serial0 0 0 ip http server no ip http secure server ip access list ex...

Page 157: ...l registered customers only which allows you to view an analysis of show command output In summary show crypto isakmp sa Shows whether the remote routers have successfully connected show crypto ipsec sa Shows information about each IPSec SA show ip ospf neighbor Shows whether the router has Open Shortest Path First OSPF neighbors show ip route Shows whether the remote networks and multicast subnet...

Page 158: ...4 QM_IDLE 29 0 10 32 152 26 10 32 150 46 QM_IDLE 31 0 The following is an output example for the show crypto ipsec sa command performed using the configuration on the Headquarters router HUB R1 show crypto ipsec sa interface Tunnel0 Crypto map tag INT_CM local addr 10 32 152 26 protected vrf local ident addr mask prot port 10 32 152 26 255 255 255 255 47 0 remote ident addr mask prot port 10 32 15...

Page 159: ...ress failed 0 send errors 5 recv errors 0 local crypto endpt 10 32 152 26 remote crypto endpt 10 32 150 46 path mtu 1420 media mtu 1420 current outbound spi D3C362F0 inbound esp sas spi 0x4589EBE8 1166666728 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5219 flow_id 99 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 528510577...

Page 160: ...caps 123829 pkts decrypt 123829 pkts verify 123829 pkts compressed 0 pkts decompressed 0 pkts not compressed 0 pkts compr failed 0 pkts not decompressed 0 pkts decompress failed 0 send errors 66 recv errors 0 local crypto endpt 10 32 152 26 remote crypto endpt 10 32 153 34 path mtu 1420 media mtu 1420 current outbound spi 69111392 inbound esp sas spi 0xD5823DEF 3582082543 transform esp 3des esp sh...

Page 161: ...510577 14267 ike_cookies 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD IV size 8 bytes replay detection support Y spi 0xC172073D 3245475645 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5221 flow_id 101 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 522108046 14267 ike_cookies 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD IV size 8 bytes replay...

Page 162: ...3 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 508969984 10202 ike_cookies DE2C7D5A FB6197B3 795753FB 41D07F6D IV size 8 bytes replay detection support Y inbound ah sas inbound pcp sas outbound esp sas spi 0x69111392 1762726802 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5214 flow_id 94 crypto map INT_CM crypto engine ty...

Page 163: ...support Y inbound ah sas inbound pcp sas outbound esp sas spi 0x2A87D473 713544819 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5220 flow_id 100 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 528510577 14262 ike_cookies 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD IV size 8 bytes replay detection support Y spi 0xD3C362F0 3552797424 ...

Page 164: ... O 192 168 2 0 24 110 11 via 192 168 2 1 00 12 50 Tunnel1 O 192 168 3 0 24 110 11 via 192 168 3 1 00 12 50 Tunnel0 S 0 0 0 0 0 1 0 via 10 32 152 25 The following is an output example for the show ip pim neighbors command performed using the configuration on the Headquarters router HUB R1 show ip pim neighbor PIM Neighbor Table Neighbor Interface Uptime Expires Ver DR Address Prio Mode 192 168 3 1 ...

Page 165: ...Found 1 active RTP connections The following is an output example for the show voice call summary command performed using the configuration on the Headquarters router HUB R1 show voice call summary PORT CODEC VAD VTSP STATE VPM STATE 0 1 0 g711ulaw y S_CONNECT S_TRUNKED 0 1 1 FXSLS_ONHOOK The following is an output example for the show class map command performed using the configuration on the Hea...

Page 166: ...old 64 packets pkts matched bytes matched 0 0 depth total drops no buffer drops 0 0 0 Class map data match all 0 packets 0 bytes 5 minute offered rate 0 bps drop rate 0 bps Match ip precedence 2 Queueing Output Queue Conversation 267 Bandwidth 20 Bandwidth 20000 kbps Max Threshold 64 packets pkts matched bytes matched 0 0 depth total drops no buffer drops 0 0 0 Class map class default match any 97...

Page 167: ...mmon to both Headquarters and branch verification The following commands are used for the remote locations only show policy map interface virtual access 4 output Shows how traffic has been queued on the DSL interface Branch 1 Note that different queues have different packet counts because traffic is assigned on the basis of DSCP and IP precedence values show policy map interface serial 0 0 0 outpu...

Page 168: ...nd spi D5823DEF inbound esp sas spi 0x69111392 1762726802 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5151 flow_id 31 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 508937407 10703 ike_cookies 795753FB 41D07F6D DE2C7D5A FB6197B3 IV size 8 bytes replay detection support Y inbound ah sas inbound pcp sas outbound esp sas spi ...

Page 169: ...e settings Tunnel slot 0 conn id 5152 flow_id 32 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 508938237 10700 ike_cookies 795753FB 41D07F6D DE2C7D5A FB6197B3 IV size 8 bytes replay detection support Y outbound ah sas outbound pcp sas interface Virtual Access3 Crypto map tag INT_CM local addr 10 32 153 34 protected vrf local ident addr mask prot p...

Page 170: ...mask prot port 10 32 153 34 255 255 255 255 47 0 remote ident addr mask prot port 10 32 152 26 255 255 255 255 47 0 current_peer 10 32 152 26 500 PERMIT flags origin_is_acl pkts encaps 78628 pkts encrypt 78628 pkts digest 78628 pkts decaps 118675 pkts decrypt 118675 pkts verify 118675 pkts compressed 0 pkts decompressed 0 pkts not compressed 0 pkts compr failed 0 pkts not decompressed 0 pkts decom...

Page 171: ...r area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is 10 32 153 33 to network 0 0 0 0 192 168 4 0 32 is subnetted 1 subnets O 192 168 4 1 110 11 via 192 168 1 1 00 33 28 Tunnel0 O 192 168 5 0 24 110 21 via 192 168 1 1 00 33 28 Tunnel0 10 0 0 0 8 is variably subnetted 3 subnets 2 masks C 10 32 153 33 32 is directly connected Virtual Acce...

Page 172: ...C_CONNECT voice on signal on master status trunk connected sequence oos no action pattern timing idle 0 restart 0 standby 0 timeout 65535 supp_all 0 supp_voice 0 keep_alive 0 timer oos_ais_timer 0 timer 0 The following is an output example for the show voip rtp connections command performed using the configuration on the Branch 1 router Branch 1 show voip rtp connections VoIP RTP active connection...

Page 173: ... 0 0 depth total drops no buffer drops 0 0 0 Class map voice match all 3241999 packets 920726516 bytes 5 minute offered rate 0 bps drop rate 0 bps Match ip dscp ef Queueing Strict Priority Output Queue Conversation 264 Bandwidth 35 Bandwidth 350 kbps Burst 8750 Bytes pkts matched bytes matched 3217794 913852296 total drops bytes drops 0 0 Class map video match all 0 packets 0 bytes 5 minute offere...

Page 174: ...55 DPU version 0 HSP version 2 2 21 ALPHA Time running 0 Seconds Compression Yes DES Yes 3 DES Yes AES CBC Yes 128 192 256 AES CNTR No Maximum buffer length 4096 Maximum DH index 1000 Maximum SA index 1000 Maximum Flow index 2000 Maximum RSA key size 2048 crypto engine name Cisco VPN Software Implementation crypto engine type software serial number 70107010 crypto engine state installed crypto eng...

Page 175: ... F5DE05AD 59F8CBF0 5B2E8553 IV size 8 bytes replay detection support Y spi 0xD3C362F0 3552797424 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5153 flow_id 33 crypto map INT_CM crypto engine type Hardware engine_id 2 sa timing remaining key lifetime k sec 521045477 14364 ike_cookies 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size 8 bytes replay detection support Y inbound ah sa...

Page 176: ...75 14361 ike_cookies 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size 8 bytes replay detection support Y spi 0xD3C362F0 3552797424 transform esp 3des esp sha hmac in use settings Tunnel slot 0 conn id 5153 flow_id 33 crypto map INT_CM crypto engine type Hardware engine_id 2 Branch 2 sa timing remaining key lifetime k sec 521045425 14360 ike_cookies 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size 8 bytes re...

Page 177: ... 0 0 0 8 is variably subnetted 2 subnets 2 masks C 10 32 150 44 30 is directly connected Serial0 0 0 O 192 168 6 0 24 110 11 via 192 168 1 1 00 31 10 Tunnel0 O 192 168 7 0 24 110 21 via 192 168 1 1 00 31 10 Tunnel0 O 192 168 1 0 24 110 11 via 192 168 1 1 00 31 11 Tunnel0 O 192 168 2 0 24 110 21 via 192 168 1 1 00 31 11 Tunnel0 C 192 168 3 0 24 is directly connected FastEthernet0 0 S 0 0 0 0 0 1 0 ...

Page 178: ...IP RTP active connections No CallId dstCallId LocalRTP RmtRTP LocalIP RemoteIP 1 9 8 18618 19890 192 168 5 2 239 168 1 100 Found 1 active RTP connections The following is an output example for the show voice call summary command performed using the configuration on the Branch 2 router Branch 2 show voice call summary PORT CODEC VAD VTSP STATE VPM STATE 0 1 0 g711ulaw y S_CONNECT S_TRUNKED 0 1 1 FX...

Page 179: ...08 kbps Max Threshold 64 packets pkts matched bytes matched 0 0 depth total drops no buffer drops 0 0 0 Class map class default match any 75804 packets 9111740 bytes 5 minute offered rate 0 bps drop rate 0 bps Match any Queueing Flow Based Fair Queueing Maximum Number of Hashed Queues 256 total queued total drops no buffer drops 0 0 0 The following is an output example for the show crypto engine b...

Page 180: ...ken on the address to RP mapping database clear crypto isakmp Clears the security associations related to phase 1 clear crypto sa Clears the security associations related to phase 2 The following is an example of output for the debug crypto isakmp and debug crypto ipsec commands Relevant display output is shown in bold text and comments are preceded by an exclamation point and shown in italics rou...

Page 181: ...AKMP 0 2 SW 1 processing HASH payload message ID 0 REMOTE PEER IS SHOWN TO BE AUTHENTICATED IN THE NEXT LINE Jul 29 16 06 33 643 PDT ISAKMP 0 2 SW 1 SA authentication status authenticated Jul 29 16 06 33 643 PDT ISAKMP 0 2 SW 1 SA has been authenticated with 10 32 150 46 Jul 29 16 06 33 643 PDT ISAKMP Trying to insert a peer 10 32 152 26 10 32 150 46 500 and inserted successfully Jul 29 16 06 33 6...

Page 182: ...sal part 1 key eng msg INBOUND local 10 32 152 26 remote 10 32 150 46 local_proxy 10 32 152 26 255 255 255 255 47 0 type 1 remote_proxy 10 32 150 46 255 255 255 255 47 0 type 1 protocol ESP transform esp 3des esp sha hmac Tunnel lifedur 0s and 0kb spi 0x0 0 conn_id 0 keysize 0 flags 0x12 Jul 29 16 06 33 923 PDT Crypto mapdb proxy_match src addr 10 32 152 26 dst addr 10 32 150 46 protocol 47 src po...

Page 183: ...1 protocol ESP transform esp 3des esp sha hmac Tunnel lifedur 3600s and 4608000kb spi 0x833186D0 2201061072 conn_id 0 keysize 0 flags 0x1B Jul 29 16 06 33 935 PDT Crypto mapdb proxy_match src addr 10 32 152 26 dst addr 10 32 150 46 protocol 47 src port 0 dst port 0 Jul 29 16 06 33 935 PDT IPSEC crypto_ipsec_sa_find_ident_head reconnecting with the same proxies and 101 253 249 204 Jul 29 16 06 33 9...

Page 184: ...he Internet Generation olver EtherChannel EtherFast EtherSwitch Fast Step FormShare GigaDrive GigaStack HomeLink Internet Quotient IOS IP TV iQ Expertise the iQ ss Scorecard LightStream Linksys MeetingPlace MGX the Networkers logo Networking Academy Network Registrar Packet PIX Post Routing Pre RateMUX ScriptShare SlideCast SMARTnet StrataView Plus SwitchProbe TeleRouter The Fastest Way to Increas...

Page 185: ...upported Features on Your Router by Using Cisco Feature Navigator page 3 Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release page 4 Finding Feature Documentation by Browsing Cisco IOS Release Notes page 4 For a list of key supported features see the data sheet and other product literature for your router Additional IOS related technical documentation can be found at this...

Page 186: ... have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear Step 2 Click Search by Feature Step 3 Enter the feature name and click Search The search results appear in the Features Available box You may have to scroll down to see the Features Available box If the Features Available box displays None Available then try searching for a variat...

Page 187: ...uter Do one of the following as appropriate To access documentation for a specific feature on this list proceed to Step 5 To display a list of features that are supported in a specific Cisco IOS release use the Major Release or Release pull down menu to select the Cisco IOS release Cisco Feature Navigator displays a list of features that are supported by the selected Cisco IOS release on your rout...

Page 188: ...ation Step 4 Navigate to your Cisco IOS software release Step 5 Select the feature module Finding Feature Documentation by Browsing Cisco IOS Release Notes If you know the specific Cisco IOS release in which the feature was introduced you can browse the Cisco IOS release notes to find feature descriptions Note Cisco IOS release notes typically include descriptions only of uncomplicated features th...

Page 189: ...5 Finding Feature Documentation OL 5994 01 Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release ...

Page 191: ...Console Line Speed Cisco IOS CLI page 5 Platforms Supported by This Document Use this document with the following platforms Cisco 1800 series routers Cisco 2800 series routers Cisco 3800 series routers About the Configuration Register The router has a 16 bit configuration register in NVRAM Each bit has value 1 on or set or value 0 off or clear and each bit setting affects the router behavior upon ...

Page 192: ...bit 9 causes the system to boot from flash memory This bit is typically not modified 10 0x0400 Controls the host portion of the IP broadcast address Setting bit 10 causes the processor to use all zeros Factory default Clearing bit 10 causes the processor to use all ones Bit 10 interacts with bit 14 which controls the network and subnet portions of the IP broadcast address See Table 3 for the combi...

Page 193: ...ble 2 Boot Field Configuration Register Bit Descriptions Boot Field Bits 3 2 1 and 0 Meaning 0000 0x0 At the next power cycle or reload the router boots to the ROM monitor bootstrap program To use the ROM monitor you must use a terminal or PC that is connected to the router console port For information about connecting the router to a PC or terminal see the hardware installation guide for your rou...

Page 194: ...efault 8 data bits no parity and 2 stop bits Step 3 Power on the router Step 4 If you are asked whether you would like to enter the initial dialog answer no Would you like to enter the initial dialog yes no After a few seconds the user EXEC prompt Router appears Step 5 Enter privileged EXEC mode by typing enable and if prompted enter your password Router enable Password password Router Step 6 Ente...

Page 195: ... version command in privileged EXEC mode The configuration register settings are displayed in the last line of the show version command output Configuration register is 0x142 will be 0x142 at next reload Configuring the Console Line Speed Cisco IOS CLI The combined setting of bits 5 11 and 12 determines the console line speed You can modify these particular configuration register bits only from th...

Page 197: ... a system image upgrade the system image when there are no TFTP servers or network connections or for disaster recovery Contents Platforms Supported by This Document page 1 Prerequisites for Using the ROM Monitor page 1 Information About the ROM Monitor page 2 How to Use the ROM Monitor Typical Tasks page 3 Additional References page 31 Platforms Supported by This Document This document describes ...

Page 198: ...all except in the following uncommon situations Manually loading a system image You can load a system image without configuring the router to attempt to load that image in future system reloads or power cycles This can be useful for testing a new system image or for troubleshooting See the Loading a System Image boot section on page 10 Upgrading the system image when there are no TFTP servers or n...

Page 199: ...play command syntax options see the Displaying Commands and Command Syntax in ROM Monitor Mode help section on page 8 Accessibility This product can be configured using the Cisco command line interface CLI The CLI conforms to accessibility code 508 because it is text based and because it relies on a keyboard for navigation All functions of the router can be configured and monitored through the CLI...

Page 200: ...ing ROM Monitor Mode page 29 Note This section does not describe how to perform all possible ROM monitor tasks Use the command help to perform any tasks that are not described in this document See the Displaying Commands and Command Syntax in ROM Monitor Mode help section on page 8 ...

Page 201: ...and Enter ROM Monitor Mode This section describes how to enter ROM monitor mode by reloading the router and entering the Break key sequence SUMMARY STEPS 1 enable 2 reload 3 Press Ctrl Break DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 reload Example Router reload Reloads the operating system Step 3...

Page 202: ...section on page 8 If you use the Break key sequence to enter ROM monitor mode when the router would otherwise have booted the system image you can exit ROM monitor mode by doing one of the following Enter the i or reset command which restarts the booting process and loads the system image Enter the cont command which continues the booting process and loads the system image Setting the Configuratio...

Page 203: ...nters global configuration mode Step 3 config register 0x0 Example Router config config register 0x0 Changes the configuration register settings The 0x0 setting forces the router to boot to the ROM monitor at the next system reload Step 4 exit Example Router config exit Exits global configuration mode Step 5 write memory Example Router write memory Sets to boot the system image from flash memory S...

Page 204: ...Sep 23 16 01 41 571 SYS 5 RELOAD Reload requested by console Reload Reason Reload command System Bootstrap Version 12 4 13r T RELEASE SOFTWARE fc1 Technical Support http www cisco com techsupport Copyright c 2006 by cisco Systems Inc Initializing memory for ECC Router platform with 262144 Kbytes of main memory Main memory is configured to 64 bit mode with ECC enabled Readonly ROMMON initialized ro...

Page 205: ...s in file system dis display instruction stream dnld serial download a program module frame print out a selected stack frame help monitor builtin command help history monitor command history iomemset set IO memory percent meminfo main memory information repeat repeat a monitor command reset system reset rommon pref select ROMMON set display the monitor variables showmon display currently selected ...

Page 206: ...display a list of the files and directories in the file system use the dir command as shown in the following example rommon 4 dir flash program load complete entry point 0x8000f000 size 0xcb80 Directory of flash 3934 14871760 rw c2800nm ipbase mz 124 3 7211 1447053 rw C2800NM_RM2 srec rommon 5 dir usbflash1 program load complete entry point 0x8000f000 size 0x3d240 Directory of usbflash1 2 14871760...

Page 207: ...lash0 someimage In order the examples here direct the router to Boot the first image in flash memory Boot the first image or a specified image in flash memory Boot the specified image over the network from the specified TFTP server hostname or IP address Boot from the boothelper image because it does not recognize the device ID This form of the command is used to boot a specified image from a netw...

Page 208: ...t Ethernet interfaces 2 Serial sync async interfaces 2 Channelized T1 PRI ports DRAM configuration is 64 bits wide with parity enabled 239K bytes of non volatile configuration memory 253160K bytes of USB Flash usbflash1 Read Write 127104K bytes of ATA CompactFlash Read Write Press RETURN to get started Sep 23 16 11 42 603 USB_HOST_STACK 6 USB_DEVICE_CONNECTED A Full speed USB device has been inser...

Page 209: ...complete entry point 0x8000f000 size 0x3d240 program load complete entry point 0x8000f000 size 0xe2eb30 Self decompressing the image OK Smart Init is enabled Smart init is sizing iomem ID MEMORY_REQ TYPE 0003E9 0X003DA000 Router Mainboard 0X0014B430 DSP SIMM 0X000021B8 Onboard USB 0X002C29F0 public buffer pools 0X00211000 public particle pools TOTAL 0X009FAFD8 If any of the above Memory Requiremen...

Page 210: ... 58 951 LINEPROTO 5 UPDOWN Line protocol on Interface Serial0 3 0 changed state to down Sep 23 16 19 58 955 LINEPROTO 5 UPDOWN Line protocol on Interface Serial0 3 1 changed state to down Sep 23 16 20 00 139 SYS 5 CONFIG_I Configured from memory by console Sep 23 16 20 00 351 SYS 5 RESTART System restarted Cisco IOS Software 2800 Software C2800NM IPBASE M Version 12 4 3 RELEASE SOFTWARE fc2 Techni...

Page 211: ...tions If you use a PC to download a file over the router console port at 115 200 bps make sure that the PC serial port uses a 16550 universal asynchronous receiver transmitter UART If the PC serial port does not use a 16550 UART we recommend using a speed equal to or lower than 38 400 bps for downloading a file over the console port Transfer using the xmodem command works only on the console port ...

Page 212: ...tion register without affecting the baud rate use the current configuration register setting by entering the show ver inc configuration command and then replacing the last rightmost number with a 0 in the configuration register command Table 1 xmodem Command Syntax Descriptions Keyword or Argument Description c Optional Performs the download using 16 bit cyclic redundancy check CRC error check...

Page 213: ...freg Configuration Summary enabled are console baud 9600 boot the ROM Monitor do you wish to change the configuration y n n y enable diagnostic mode y n n y enable use net in IP bcast address y n n y enable load rom after netboot fails y n n y enable use all zero broadcast y n n y enable break abort has effect y n n y enable ignore system config info y n n y change console baud rate y n n y enter ...

Page 214: ...le Output for the dir usbFlash Command rommon dir usbflash0 Directory of usbflash0 2 18978364 rw c3845 entbasek9 mz 124 0 5 Sample Output for the dev ROM Monitor Command rommon 2 dev Devices in device table id name flash compact flash bootflash boot flash usbflash0 usbflash0 Command or Action Purpose Step 1 dir usbflash x Example rommon dir usbflash1 Displays the contents of the USB flash device i...

Page 215: ...centage set by using the memory size iomem command that is saved in the NVRAM configuration If you need to set the router I O memory permanently by using a manual method use the memory size iomem Cisco IOS command If you set the I O memory from the Cisco IOS software you must restart the router for I O memory to be set properly SUMMARY STEPS 1 iomemset i o memory percentage DETAILED STEPS Examples...

Page 216: ...can enter the tftpdnld command you must set the ROM monitor environment variables Prerequisites Connect the TFTP server to a fixed network port on your router Restrictions LAN ports on network modules or interface cards are not active in ROM monitor mode Therefore only a fixed port on your router can be used for TFTP download This can be a fixed Ethernet port on the router that is either of the tw...

Page 217: ...T_GATEWAY 172 16 23 40 Sets the default gateway of the router Step 4 TFTP_SERVER ip_address Example rommon TFTP_SERVER 172 16 23 33 Sets the TFTP server from which the software will be downloaded Step 5 TFTP_FILE directory path filename Example rommon TFTP_FILE archive rel22 c2801 i mz Sets the name and location of the file that will be downloaded to the router Step 6 FE_PORT 0 1 Example rommon FE...

Page 218: ...ot available on Cisco 1800 series routers Cisco 2801 routers or Cisco 2811 routers Step 11 TFTP_CHECKSUM 0 1 Example rommon TFTP_CHECKSUM 0 Optional Determines whether the router performs a checksum test on the downloaded image 1 Checksum test is performed default 0 No checksum test is performed Step 12 TFTP_DESTINATION flash usbflash0 usbflash1 Example rommon TFTP_DESTINATION usbflash0 Optional D...

Page 219: ...0 No progress is displayed 1 Exclamation points are displayed to indicate file download progress This is the default setting 2 Detailed progress is displayed during the file download process for example Initializing interface Interface link state up ARPing for 1 4 0 1 ARP reply for 1 4 0 1 received MAC address 00 00 0c 07 ac 01 Step 17 set Example rommon set Displays the ROM monitor environment va...

Page 220: ...ot router crashes and hangs Most ROM monitor debug commands are functional only when the router crashes or hangs If you enter a debug command when crash information is not available the following error message appears xxx kernel context state is invalid can not proceed The ROM monitor commands in this section are all optional and can be entered in any order Router Crashes A router or system crash ...

Page 221: ...ocument for your router The jumper to be changed is DUART DFLT which sets the console connection data rate to 9600 regardless of user configuration The jumper forces the data rate to a known good value Restrictions Do not manually reload or power cycle the router unless reloading or power cycling is required for troubleshooting a router crash The system reload or power cycle can cause important in...

Page 222: ...n entire individual stack frame The default is 0 zero which is the most recent frame Step 4 sysret Example rommon sysret Optional Displays return information from the last booted system image The return information includes the reason for terminating the image a stack dump of up to eight frames and if an exception is involved the address at which the exception occurred Step 5 meminfo l Example rom...

Page 223: ...00 00000000 a0 00000000 0000002b s4 00000000 64219118 a1 00000000 00000003 s5 00000000 62ad0000 a2 00000000 00000000 s6 00000000 63e10000 a3 00000000 64219118 s7 00000000 63e10000 t0 00000000 00070808 t8 ffffffff e7400884 t1 00000000 00000000 t9 00000000 00000000 t2 00000000 63e10000 k0 00000000 00000000 t3 00000000 34018001 k1 00000000 63ab871c t4 ffffffff ffff80fd gp 00000000 63c1c2d8 t5 fffffff...

Page 224: ...c 0x63360000 0x642190f0 sp 0x020 0x63360000 0x642190f4 sp 0x024 0x6079ff70 Sample Output for the sysret ROM Monitor Command rommon 8 sysret System Return Info count 19 reason user break pc 0x801111b0 error address 0x801111b0 Stack Trace FP 0x80005ea8 PC 0x801111b0 FP 0x80005eb4 PC 0x80113694 FP 0x80005f74 PC 0x8010eb44 FP 0x80005f9c PC 0x80008118 FP 0x80005fac PC 0x80008064 FP 0x80005fc4 PC 0xfff0...

Page 225: ... Hangs Exiting ROM Monitor Mode This section describes how to exit ROM monitor mode and enter the Cisco IOS command line interface CLI The method that you use to exit ROM monitor mode depends on how your router entered ROM monitor mode If you reload the router and enter the Break key sequence to enter ROM monitor mode when the router would otherwise have booted the system image you can exit ROM mo...

Page 226: ...in flash memory Locate the system image that you want the router to load If the system image is not in flash memory use the second or third option in Step 2 Step 2 boot flash directory filename or boot filename tftpserver or boot filename Example ROMMON boot flash myimage Example ROMMON boot someimage 172 16 30 40 Example ROMMON boot In order the examples here direct the router to Boot the first i...

Page 227: ...631 Cisco 3725 and Cisco 3745 Routers Note These procedures also apply to Cisco 1841 series Cisco 2800 series and Cisco 3800 series routers Using the boot image Rx boot to recover or upgrade the system image How to Upgrade from ROMmon Using the Boot Image Booting and configuration register commands Cisco IOS Configuration Fundamentals Command Reference Loading and maintaining system images rebooti...

Page 229: ... supported depends on router model Class B flash file system also known as the low end file system LEFS Class C flash file system similar to the standard DOS file system This document contains the following sections Platforms Supported by This Document page 1 Requirements and Restrictions page 2 Online Insertion and Removal page 2 How to Format CompactFlash Memory Cards page 3 File Operations on C...

Page 230: ...outers Support Class B and Class C flash file systems Support only external CF memory cards If you use a PC to format the CF memory cards you can format the cards with the Microsoft 16 bit File Allocation Table FAT16 Microsoft 32 bit File Allocation Table FAT32 or Microsoft Windows NT file system NTFS Alternatively you can format the CF memory card on the router Note When formatted on the router f...

Page 231: ... with a Class C flash file system The following examples show sample outputs for Class B and Class C flash file systems External Card with Class B Flash File System Example The geometry and format information does not appear Router show flash all Partition Size Used Free Bank Size State Copy Mode 1 125184K 20390K 104793K 0K Read Write Direct System Compact Flash directory File Length Name status a...

Page 233: ...he copy command in privileged EXEC mode To indicate a file that is stored in a CF memory card precede the filename with flash Examples Copying Files In the following example the file my config1 on the CF memory card is copied into the startup config file in the system memory Router copy flash my config1 startup config Destination filename startup config OK 517 bytes copied in 4 188 secs 129 bytes ...

Page 235: ...mand in privileged EXEC mode Deleting a File from a CompactFlash Memory Card with a Class B Flash File System Example In the following example the file c28xx i mz tmp is deleted from the external CF memory card Router delete flash c28xx i mz tmp Delete filename c28xx i mz tmp Delete flash c28xx i mz tmp confirm Because the file was deleted it does not appear when you enter the dir flash command Ro...

Page 236: ...Flash Memory Card Directory operations vary according to the formatted file system Class B or Class C The following sections describe directory operations for external CF memory cards on Cisco routers Entering a Directory and Determining Which Directory You Are In page 8 Creating a New Directory page 9 Removing a Directory page 10 Entering a Directory and Determining Which Directory You Are In To ...

Page 237: ...uter dir Directory of flash config 380 rw 6462268 Mar 08 2004 06 14 02 myconfig1 203 rw 6458388 Mar 03 2004 00 01 24 myconfig2 63930368 bytes total 51007488 bytes free Creating a New Directory To create a directory in flash memory enter the mkdir flash command in privileged EXEC mode Creating a New Directory Example In the following example a new directory named config is created then a new subdir...

Page 238: ...4 Cisco Systems Inc All rights reserved CCVP the Cisco logo and Welcome to the Human Network are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn is a service mark of Cisco Systems Inc and Access Registrar Aironet Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the C...

Page 239: ...grading the System Image page 1 Information About Upgrading the System Image page 2 How to Upgrade the System Image page 3 Additional References page 24 Platforms Supported by This Document Cisco 1800 series routers Cisco 2800 series routers Cisco 3800 series routers Restrictions for Upgrading the System Image Cisco 3800 series routers Cisco 2800 series routers and Cisco 1800 series routers suppor...

Page 240: ...e of the system image enter the show version command in user EXEC or privileged EXEC mode How Do I Choose the New Cisco IOS Release and Feature Set To determine which Cisco IOS releases and feature sets support your platform and required features go to Cisco Feature Navigator at http www cisco com go fn You must have an account on Cisco com If you do not have an account or have forgotten your user...

Page 241: ... you save backup copies of your current startup configuration file and Cisco IOS software system image file on a server For more detailed information see the Managing Configuration Files chapter and the Loading and Maintaining System Images chapter of the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide To save backup copies of the startup configuration file and the ...

Page 242: ... The router uses the default username and password Router dir flash System flash directory File Length Name status 1 4137888 c2800 image mz 4137952 bytes used 12639264 available 16777216 total 16384K bytes of processor board System flash Read Write Router copy flash tftp IP address of remote host 255 255 255 255 192 0 0 1 filename to write on tftp host c2800 image mz writing c2800 image mz success...

Page 243: ...st upgrade your DRAM See the hardware installation guide for your router DETAILED STEPS Step 1 Select the system image in the Download Software Area at the following URL http www cisco com kobayashi sw center index shtml You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions th...

Page 244: ...y requirements you must upgrade your DRAM See the hardware installation guide for your router What to Do Next Proceed to the Ensuring Adequate Flash Memory for the New System Image section on page 6 Ensuring Adequate Flash Memory for the New System Image This section describes how to check whether your router has enough flash memory to upgrade to the new system image and if necessary how to proper...

Page 245: ...an the new system image s minimum flash requirements proceed to Step 6 6 dir all flash 7 From the displayed output of the dir all flash command write down the names and directory locations of the files that you can delete 8 Optional copy flash tftp rcp 9 Optional Repeat Step 8 for each file that you identified in Step 7 10 delete flash directory path filename 11 Repeat Step 10 for each file that y...

Page 246: ...tmp deleted 2 6458208 c38xx i mz 12916544 bytes used 3139776 available 16056320 total 15680K bytes of ATA CompactFlash Read Write Step 4 From the displayed output of the dir flash command compare the number of bytes available to the minimum flash requirements for the new system image If the available memory is equal to or greater than the new system image s minimum flash requirements proceed to th...

Page 247: ...the file from flash memory When prompted enter the filename and the server s hostname or IP address Router copy flash tftp Step 9 Optional Repeat Step 8 for each file that you identified in Step 7 Step 10 delete flash directory path filename Use this command to delete a file in flash memory Router delete flash c38xx i mz tmp Delete filename c38xx i mz tmp cr Delete flash c38xx i mz tmp confirm cr ...

Page 248: ...ge 10 Using the ROM Monitor to Copy the System Image over a Network page 12 Using a PC with a CompactFlash Card Reader to Copy the System Image into Flash Memory page 15 Using Console Download xmodem in ROM Monitor to Copy the System Image into Flash Memory page 16 Using TFTP or Remote Copy Protocol to Copy the System Image into Flash Memory This section describes how to use TFTP or Remote Copy Pr...

Page 249: ...r the filename as you want it to appear on the router 6 If an error message appears that says Not enough space on device do one of the following as appropriate If you are certain that all the files in flash memory should be erased enter y twice when prompted to erase flash before copying If you are not certain that all files in flash memory should be erased press Ctrl Z and follow the instructions...

Page 250: ... confirm that flash memory will be erased before copying Accessing tftp 10 10 10 2 c2600 i mz 121 14 bin Erase flash before copying confirm y Erasing the flash filesystem will remove all files Continue confirm y Erasing device eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee If you are not certain that all the files in flash memory should be erased press Ctrl Z and follow the instructions in...

Page 251: ...ss configuration variable 4 Set the DEFAULT_GATEWAY ip_address configuration variable 5 Set the TFTP_SERVER ip_address configuration variable 6 Set the TFTP_FILE directory path filename configuration variable 7 Optional Set the GE_PORT 0 1 configuration variable 8 Optional Set the MEDIA_TYPE 0 1 configuration variable 9 Optional Set the TFTP_CHECKSUM 0 1 configuration variable 10 Optional Set the ...

Page 252: ... Protocol ARP and TFTP download The default is 7 attempts For example rommon TFTP_RETRY_COUNT 10 Step 11 Optional Set the amount of time in seconds before the download process times out The default is 2400 seconds 40 minutes The following example shows 1800 seconds 30 minutes TFTP_TIMEOUT 1800 Step 12 Optional Configure how the router will display the file download progress Usage is TFTP_VERBOSE 0...

Page 253: ... the compact flash memory card slot on the router chassis For help with locating the slot and instructions for removing and inserting the card see the hardware installation guide for your router Caution Removing the compact flash memory card may disrupt the network because some software features use the compact flash memory card to store tables and other important data SUMMARY STEPS 1 Remove the c...

Page 254: ...ns If you use a PC to download a Cisco IOS image over the router console port at 115 200 bps make sure that the PC serial port uses a 16550 universal asynchronous receiver transmitter UART If the PC serial port does not use a 16550 UART we recommend using a speed of 38 400 bps or lower when downloading a Cisco IOS image over the console port The xmodem transfer works only on the console port You c...

Page 255: ...e new system image from the Cisco IOS software Table 1 xmodem Command Syntax Descriptions Keyword or Argument Description c Optional Performs the download using 16 bit cyclic redundancy check CRC error checking to validate packets The default is 8 bit CRC y Optional Performs the download using ymodem protocol The default is xmodem protocol The protocols differ as follows The xmodem protocol suppor...

Page 256: ...it 12 copy run start 13 reload 14 When prompted to save the system configuration enter no 15 When prompted to confirm the reload enter y 16 show version DETAILED STEPS Step 1 dir flash Use this command to display a list of all files and directories in flash memory Router dir flash Directory of flash 3 rw 6458388 Mar 01 1993 00 00 58 c38xx i mz tmp 1580 rw 6462268 Mar 06 1993 06 14 02 c38xx i mz 28...

Page 257: ...any backup system images Step 6 exit Use this command to exit global configuration mode Router config exit Router Step 7 show version Use this command to display the configuration register setting Router show version Cisco Internetwork Operating System Software Configuration register is 0x0 Router Step 8 If the last digit in the configuration register is 0 or 1 proceed to Step 9 However if the las...

Page 258: ... Router show version 00 22 25 SYS 5 CONFIG_I Configured from console by console Cisco Internetwork Operating System Software System returned to ROM by reload System image file is flash c2600 i mz 121 14 bin What to Do Next Proceed to the Saving Backup Copies of Your New System Image and Configuration section on page 22 Loading the New System Image from ROM Monitor Mode This section describes how t...

Page 259: ...he boot system commands in the startup configuration file rommon confreg 0x2102 Step 3 boot flash partition number filename Use this command to force the router to load the new system image rommon boot flash C2600 j m2 113 4T Step 4 After the system loads the new system image press Return a few times to display the Cisco IOS CLI prompt Step 5 enable Use this command to enable privileged EXEC mode ...

Page 260: ...ecovery and to minimize downtime in the event of file corruption we recommend that you save backup copies of the startup configuration file and the Cisco IOS software system image file on a server Tip Do not erase any existing backup copies of your configuration and system image that you saved before upgrading your system image If you encounter serious problems using your new system image or start...

Page 261: ...lash directory File Length Name status 1 4137888 c2800 image mz 4137952 bytes used 12639264 available 16777216 total 16384K bytes of processor board System flash Read Write Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 copy nvram startup config ftp rcp tftp Example Router copy nvram startup config ftp Copies the st...

Page 262: ...i sw center index shtml1 Choosing and downloading system images Software Center at http www cisco com kobayashi sw center index shtml Loading and maintaining system images Cisco IOS Configuration Fundamentals and Network Management Configuration Guide Using external compact flash memory cards Using Compact Flash Memory Cards Removing inserting and upgrading compact flash memory cards hardware inst...

Page 263: ... including links to products technologies solutions technical tips and tools Registered Cisco com users can log in from this page to access even more content 1 1 You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear http www cisco com public support tac home shtml ...

Page 264: ...r EtherChannel EtherFast EtherSwitch Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study LightStream Linksys MeetingPlace MGX Networkers Networking Academy Network Registrar PIX ProConnect ScriptShare SMARTnet StackWise The Fastest Way to Increase Your Internet Quotient and TransPath are regis...

Page 265: ...ization on Cisco Routers Technical Assistance Center TAC Website You must have an account on Cisco com to access the following tools If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions TAC Case Collection Troubleshooting Assistant Error Message Decoder Research and resolve error messages Output Interpreter Gener...
